A fake access point in WLAN (wireless local area network) systems is a wireless access point that has either been installed on a secure company network by an insider without explicit authorization from the local network administrator, or has been maliciously added to the network to allow an attacker to conduct a man-in-the-middle attack. In cellular telecommunication the corresponding element is the base transceiver station (BTS).
With a fake BTS the attacker can compromise the communication of a selected set of users (usually only one target) by performing a man-in-the-middle attack between the UE (user equipment) and the real BTS. Toward the UE it acts as the BTS with the strongest signal, so that the UE camps on it; toward the core network (and toward a real BTS) it acts as a UE. A fake BTS can be used for eavesdropping (passively listening to the conversation), but it can also actively alter the communication flow.
In the specification of 2G (second generation) mobile systems, authentication is one-way: the UE authenticates to the network, but the BTS is not authenticated to the user equipment. This makes it possible to operate a fake base station.
FIG. 1 is an overview illustrating a normal situation in a communication network and FIG. 2 is an overview illustrating a situation in a communication network when there is a man-in-the-middle attack.
Several encryption algorithms are defined for current GSM systems. Of these, A5/0 provides no encryption at all, A5/1 and A5/2 have been shown to be weak, and A5/3 and A5/4 are still considered strong and hard to break.
Most 2G systems use A5/1, which can now be cracked in real time with available equipment. Inserting into a mobile system a device that acts as a fake BTS and cracks A5/1 in real time makes many attacks feasible that were not previously considered a threat (cf. document [4] mentioned below). Such attacks include, but are not limited to, breaking GPRS (General Packet Radio Service) communication, impersonating a subscriber and charging calls to him, and eavesdropping on otherwise secure communication.
Currently, all GSM (Global System for Mobile Communication) UEs support A5/1. Even when a mobile operator upgrades its base stations to support a strong algorithm (for example, A5/3), which is still very rare, a fake BTS can lure the UE into a weak (A5/1) connection: the UE only reports which algorithms it supports, and the algorithm actually used is selected by the BTS in the cipher mode command.
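The following simulation is an added illustration and not part of the original description or of any of the cited references. It models the facts stated above: the UE announces the A5 algorithms it supports, the network side chooses which one is used, and a fake BTS relaying between the UE and a real BTS can command a weak algorithm toward the UE while itself negotiating A5/3 toward the real network. The message names follow GSM 04.08; the classes, the "real-time crack" step (modelled as instantaneous) and the UE-side policy check are simplifications constructed here, not any operator's or vendor's implementation. It also relies on one fact not stated on the page: A5/1 and A5/3 both key off the same 64-bit Kc produced by the SIM's A8 run, so a Kc recovered on the weak leg is valid on the strong leg.

```python
"""Simulated GSM cipher-mode selection with and without a fake BTS in the path.

Added example: the data structures, the policy check and the modelled
crack step are constructed for illustration and are not the method of the
original description.
"""
from dataclasses import dataclass

# Relative strength used by the UE-side check. A5/0 means no ciphering at all.
STRENGTH = {"A5/0": 0, "A5/2": 1, "A5/1": 2, "A5/3": 3, "A5/4": 4}

# Algorithms from which a fake BTS with real-time cracking equipment can recover Kc.
CRACKABLE = {"A5/0", "A5/1", "A5/2"}


@dataclass
class UE:
    imsi: str
    supported: frozenset           # algorithms announced in the MS classmark
    kc: bytes                      # 64-bit Kc from A8; the same key under A5/1 and A5/3
    min_acceptable: str = "A5/1"   # local policy: alarm if the network commands anything weaker

    def check_cipher_mode_command(self, algorithm: str) -> bool:
        """Return True if the commanded algorithm violates the UE's local policy."""
        if algorithm not in self.supported:
            return True
        return STRENGTH[algorithm] < STRENGTH[self.min_acceptable]


class RealBTS:
    """Legitimate network side: picks the strongest algorithm both sides support."""

    def __init__(self, permitted):
        self.permitted = frozenset(permitted)

    def cipher_mode_command(self, ue_supported: frozenset) -> str:
        common = self.permitted & ue_supported
        if not common:
            raise RuntimeError("no common ciphering algorithm")
        return max(common, key=STRENGTH.__getitem__)


class FakeBTS:
    """Man-in-the-middle: a BTS toward the UE, a UE toward the real BTS."""

    def __init__(self, upstream: RealBTS, downgrade_to: str = "A5/1"):
        self.upstream = upstream
        self.downgrade_to = downgrade_to
        self.recovered_kc = None

    def cipher_mode_command(self, ue_supported: frozenset) -> str:
        # Toward the UE: command the weak algorithm regardless of what the UE
        # could do. The UE cannot distinguish this from a legitimate choice.
        if self.downgrade_to not in ue_supported:
            return min(ue_supported, key=STRENGTH.__getitem__)
        return self.downgrade_to


def run_session(ue: UE, serving) -> dict:
    """Drive one attach: classmark -> CIPHER MODE COMMAND -> (relay upstream)."""
    ue_leg = serving.cipher_mode_command(ue.supported)
    result = {
        "ue_leg": ue_leg,
        "network_leg": ue_leg,
        "alarm": ue.check_cipher_mode_command(ue_leg),
        "attacker_has_kc": False,
    }
    if isinstance(serving, FakeBTS):
        # Acting as a UE, the attacker relays the genuine classmark upstream, so
        # the real network negotiates its usual algorithm with the attacker.
        result["network_leg"] = serving.upstream.cipher_mode_command(ue.supported)
        if ue_leg in CRACKABLE:
            # Modelled as instantaneous: with A5/1 (or unciphered) traffic from
            # the UE the attacker recovers Kc, which is also the key the real
            # network expects under A5/3, so the upstream leg can be ciphered.
            serving.recovered_kc = ue.kc
            result["attacker_has_kc"] = True
    return result


if __name__ == "__main__":
    # Constructed sample subscriber: supports A5/1 and A5/3, policy requires A5/3.
    ue = UE("262011234567890", frozenset({"A5/1", "A5/3"}),
            kc=bytes.fromhex("0011223344556677"), min_acceptable="A5/3")
    print("real BTS:", run_session(ue, RealBTS({"A5/1", "A5/3"})))
    print("fake BTS:", run_session(ue, FakeBTS(RealBTS({"A5/1", "A5/3"}))))
```

The policy check in `UE.check_cipher_mode_command` is the only place the UE can notice anything, and it only fires when the UE is configured to expect A5/3. On a network that is itself still A5/1-only (the common case according to the preceding paragraph) the same check would either never fire or, if set to A5/3, fire on every legitimate cell; a UE-only heuristic of this kind therefore trades detection against false alarms.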
To prevent the installation of fake access points in a WLAN, organizations can deploy wireless intrusion prevention systems that monitor the radio spectrum for unauthorized access points. For a mobile network operator, whose network covers an entire country, this approach is prohibitively expensive. Moreover, targeted attacks using low-power transmitters or directional antennas may not be noticed by other entities at all. Therefore, another solution is needed.
Some basic approaches are described in references [1] to [3] mentioned below. However, so far no widely available solution is known to reliably detect a fake BTS. Current solutions require special hardware, and some are not even publicly available. The CatcherCatcher project (cf. reference [3]) is an ongoing activity to generate alarms on various phone platforms if the presence of a fake BTS is suspected; the project has, however, not published any particular results yet. Moreover, the UE alone cannot be certain in all cases that it is camping on a fake BTS, and too many false alarms are a barrier to wide acceptance.